Audi Connect NFC key


#1

So someone I know who has a recent Audi Q5 told me about using their phone as a car key, so I looked it up a bit. Audi’s site isn’t too clear on how it all works, but just as a thought experiment I want to figure out how to clone it to my hand (no, I don’t want to break into their car). At some point when I have a bit more money I’ll probably snag a used Audi with that feature or get a Tesla and hack the shit out of it.

Audi’s site is a bit confusing, as it talks about storing an ID in the SIM card and on the device but then goes on to say “The Audi connect key is always ready for use, even if the smartphone’s battery is not charged (depends on specific model), because the NFC chip draws the energy it needs from an electromagnetic field produced by its counterpart”.

Full text:

Audi has digitalized the conventional vehicle key and transferred it to the user’s smartphone in the form of the Audi connect key. It is used to unlock, lock and start the car. Communication between the vehicle and the smartphone is by near field communication (NFC). This technology refers to a standard in which data is transmitted over short distances by radio signal. To unlock the car, the driver holds the smartphone near the handle of the driver’s door which contains an NFC antenna. To start the engine, the phone is placed in the Audi phone box, which is also equipped with an NFC antenna.

The highly sensitive data of the digital key in the smartphone must be protected against read-out, duplication and manipulation. To do this, the Audi connect key is saved in a secure memory and execution environment within the smartphone, either on the SIM card or directly in the device. This secure element is connected directly to the NFC antenna via the single wire protocol (SWP) – which is another security advantage, because the smartphone’s operating system is not involved in the communication between the car and the smartphone.

In the future, customers will be able to share up to 15 keys over-the-air, e.g. with family members, friends or colleagues. The car recognizes the key owner when it is unlocked, and it loads a wide variety of settings from the user’s individual profile – ranging from seat position to air conditioning and navigation settings. This solution makes the one-to-one relationship between a vehicle key and a vehicle obsolete, because one smartphone can store keys for multiple vehicles. For situations in which the driver needs to share the Audi connect key for a short period of time, but the driver does not want to hand over the smartphone, an Audi connect key card in credit card format is available in the car. The driver can activate it and give it to valet parking personnel, for instance, or pass it on in the case of a breakdown.

The Audi connect key is always ready for use, even if the smartphone’s battery is not charged (depends on specific model), because the NFC chip draws the energy it needs from an electromagnetic field produced by its counterpart.


#2

Yeah, there is a lot of word salad in here… for example, Android phones don’t use secure elements anymore, that’s why Google had to create the Host Card Emulation feature. Apple iPhones, on the other hand, still do… I think.

Yes, some phones with secure elements that are configured to operate as “field powered” devices can do this… but it is really going to be only certain iPhone models. Other phone types can use the SIM card as a secure element for sensitive data storage, but SIMs cannot be field powered. Basically this whole idea was designed for payment, so you could still pay for crap with your phone even if the battery was dead.


#3

Quite intriguing… next time I see my mechanic I may ask him about it - he specializes in German cars but mostly VWs and Audis. Ideally one could hijack the reader through the car’s CAN bus and just have it read a UID (insecure but easy) or do a challenge-response with the VivoKey and a JavaCard applet. I’m trying to get into my Jetta’s CAN bus right now to do NFC unlock and startup, but it’s proving to be quite a challenge. Just based on some initial things I’ve read, I don’t expect mucking around with the NFC capability in an Audi will be an easy task; even registering your phone requires going to the dealer and having them verify your info.
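To make the “UID (insecure but easy)” versus “challenge-response with an applet” distinction in the post above concrete, here is an added Python model of both reader designs. It is not code from the thread, from Audi, or from VivoKey; the UID, shared secret and the HMAC-SHA256 scheme are constructed for illustration (real tokens such as DESFire EV2 or a JavaCard applet use their own AES-based mutual authentication, not this exact scheme). The point it demonstrates is defensive: a reader that only checks a UID accepts anything that reports that UID, while a reader that issues a fresh nonce per session rejects a replayed response and a token with the wrong secret.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not real identifiers): a token UID and a
# per-key secret shared between the car-side verifier and the key token.
KEY_UID = bytes.fromhex("04a1b2c3d4e5f6")
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
WRONG_SECRET = bytes.fromhex("ffeeddccbbaa99887766554433221100")


class UidOnlyLock:
    """Reader that trusts whatever UID the tag reports. The UID is public
    (any read of the tag reveals it), so there is nothing secret to verify."""

    def __init__(self, enrolled_uid: bytes) -> None:
        self.enrolled_uid = enrolled_uid

    def unlock(self, presented_uid: bytes) -> bool:
        return hmac.compare_digest(presented_uid, self.enrolled_uid)


class ChallengeResponseLock:
    """Reader that issues a single-use random nonce and checks an HMAC over
    (nonce || key_id) computed with the enrolled secret."""

    def __init__(self, key_id: bytes, secret: bytes) -> None:
        self.key_id = key_id
        self.secret = secret
        self.pending_nonce = None  # outstanding challenge, if any

    def challenge(self) -> bytes:
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce

    def unlock(self, key_id: bytes, response: bytes) -> bool:
        if self.pending_nonce is None or key_id != self.key_id:
            return False
        nonce, self.pending_nonce = self.pending_nonce, None  # consume the nonce
        expected = hmac.new(self.secret, nonce + key_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class KeyToken:
    """Model of the key side (phone secure element or implant applet).
    The secret stays inside; only responses to nonces ever leave it."""

    def __init__(self, uid: bytes, secret: bytes) -> None:
        self.uid = uid
        self._secret = secret

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(self._secret, nonce + self.uid, hashlib.sha256).digest()


def uid_only_accepts_copied_uid() -> bool:
    """A UID-only reader cannot distinguish the enrolled tag from any device
    reporting the same UID: one earlier read of the tag is all that is needed."""
    lock = UidOnlyLock(KEY_UID)
    previously_observed_uid = KEY_UID
    return lock.unlock(previously_observed_uid)


def challenge_response_accepts_legit_token() -> bool:
    lock = ChallengeResponseLock(KEY_UID, SHARED_SECRET)
    token = KeyToken(KEY_UID, SHARED_SECRET)
    return lock.unlock(KEY_UID, token.answer(lock.challenge()))


def challenge_response_rejects_replay() -> bool:
    """A response observed in one session is useless in the next: the reader
    picks a fresh nonce, so the old HMAC no longer matches."""
    lock = ChallengeResponseLock(KEY_UID, SHARED_SECRET)
    token = KeyToken(KEY_UID, SHARED_SECRET)
    observed_response = token.answer(lock.challenge())
    assert lock.unlock(KEY_UID, observed_response)  # the legitimate session
    lock.challenge()  # new session, new nonce
    return not lock.unlock(KEY_UID, observed_response)


def challenge_response_rejects_wrong_secret() -> bool:
    """Knowing the UID alone is not enough: a token with the right UID but the
    wrong secret produces a response the reader rejects."""
    lock = ChallengeResponseLock(KEY_UID, SHARED_SECRET)
    impostor = KeyToken(KEY_UID, WRONG_SECRET)
    return not lock.unlock(KEY_UID, impostor.answer(lock.challenge()))


if __name__ == "__main__":
    print("UID-only reader accepts copied UID:", uid_only_accepts_copied_uid())
    print("Challenge-response accepts legit token:", challenge_response_accepts_legit_token())
    print("Challenge-response rejects replay:", challenge_response_rejects_replay())
    print("Challenge-response rejects wrong secret:", challenge_response_rejects_wrong_secret())
```

The design choices that matter for a car reader are the ones the model makes explicit: the nonce is random and consumed after one use, the response binds the key identifier to the nonce so a response for one key cannot be passed off for another, and comparison uses a constant-time check. Whatever the car actually does behind the door-handle antenna, a UID-only check has none of these properties, which is why the post calls it “insecure but easy”.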


#4

Of course they do. AFAIK starting from Android 6.0 it was obligatory for hardware vendors, but it wasn’t done in a good way - there was a master key in hardware but the rest (application ones) in software. It seems they will fix it partially in Android 9.0 https://source.android.com/security/keystore .

Regarding the SIM NFC model - this is also possible and I’ve seen it working in the field a few years ago - SIM-based Visa/Mastercard payments on a discharged Sony Xperia Z (model 1). Don’t know how it was realised in hardware, but the phone never uses the battery ‘to the end’ and a very minimal set of peripherals needs a minimal amount of energy. The problem is any action on the SIM card requires cooperation with the mobile network operator, especially in a managed model (they say about 15 keys) and OTA updates. Nowadays banks go from the SIM-centric NFC model to HCE, but maybe Audi did otherwise. It’s probably not impossible to move this technology to an implant, but I bet if they did that amount of effort to integrate with mobile network operators’ SIM cards, they secured this properly -> you will not clone the secret keys of that card without some friend in Russia torturing the original chip with an electron microscope and sulfuric acid.


#5

Ok I have it, it’s not about Audi only, it’s a cooperation of the whole sector, Tesla, GSMA, Apple: https://carconnectivity.org/ If I assume correctly, this will be held on a built-in eSIM, managed as a whole by the telecom operator and in part by the car vendor, and it will be hard to tamper with it. I have an idea how this may be bypassed (like satellite TV cards) but it’s a lot of effort to do this, and before implanting, if it’s not DESFire EV2 you will probably need a custom chip.